Protection of admin pages
Posted on February 6, 2006, 6:23 pm
I put a login form on my start page (index.php), and if the user enters correct
data, the script redirects him to the page admin/admin.php. That works fine!
But if someone types admin/admin.php in the browser, it enters the same page
without login. How to prevent this?
Re: Protection of admin pages
You put login checking on *EVERY* *SINGLE* *PAGE*. (Usually it's
in one file defining a function or class included from everywhere
else). The checking usually looks at session data to see if you're
logged in, and the login hasn't expired, and if not, redirects you
to the login page.
If you're not using sessions, you probably check cookies. Remember
that session data like $_SESSION['logged_in'] = true is hard to
spoof, but $_COOKIE['logged_in'] = true is easy to spoof.
Gordon L. Burditt
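
An added example (not part of the original posts) of the shared include file the reply describes: a session-based check with an idle timeout that redirects to the login page. The file name `auth.php`, its location one directory above `admin/`, the function names, the `last_seen` session key and the 15-minute timeout are assumptions.

```php
<?php
// auth.php: added example. File name, function names, session keys and
// the 15-minute timeout are assumptions, not from the thread.

const LOGIN_PAGE   = '/index.php';  // the login form from the question
const IDLE_TIMEOUT = 900;           // seconds of inactivity before re-login

// Pure check: is this session logged in and not expired?
function session_is_valid(array $session, int $now): bool
{
    if (($session['logged_in'] ?? false) !== true) {
        return false;
    }
    $lastSeen = $session['last_seen'] ?? 0;
    return is_int($lastSeen) && ($now - $lastSeen) <= IDLE_TIMEOUT;
}

// Call at the top of every protected page, before any output.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!session_is_valid($_SESSION, time())) {
        // Drop stale state, then send the browser to the login form.
        $_SESSION = [];
        session_destroy();
        header('Location: ' . LOGIN_PAGE);
        exit; // without this the rest of the admin page still runs and is sent
    }
    $_SESSION['last_seen'] = time(); // sliding expiry
}

// Call from the login handler after the credentials have been verified
// (session_start() must already have been called).
function mark_logged_in(): void
{
    session_regenerate_id(true); // new session ID at the privilege change
    $_SESSION['logged_in'] = true;
    $_SESSION['last_seen'] = time();
}

// In admin/admin.php (and every other admin page), first lines:
//   require __DIR__ . '/../auth.php';
//   require_login();
```

The `exit` after the `Location` header matters: a redirect alone does not stop the script, so the protected page body would still be generated and sent to a client that ignores the redirect.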